9331 | 2023-10-25 11:20
Sample: smss.exe
MD5: 841031a37159398b8eebca7bb7eff56b
Tags: Formbook AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself
URLs (1):
  http://www.mania-31.online/rs10/?RVlPiv=tmhWCCuUnR/2p22+r5vsD84Rn13KUgX1rgHj59z166BF2ySpaKINgv8s/QUWtH6HwzUj1/+r&QL3=uTypB4hPUby4i
Hosts (3):
  www.mania-31.online(172.67.179.47)
  www.burneysaw.com()
  104.21.96.114
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.6 | M | 52 | ZeroCERT

9332 | 2023-10-25 11:18
Sample: sbin22zx.exe
MD5: 78d449904f1a8a3000a3ba549dba764e
Tags: Formbook .NET framework(MSIL) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself crashed
URLs (3):
  http://www.verglastrading.com/o5pf/?mfsl7bH=24DNDnrDcx6L3afu5G1pkrBprLMzzQPg6Xzu90F1O+mCQnlaWpmaey15xXgKFEq13OCFUf2W&lZB=UFQL6bspOrB8clA
  http://www.dunamistrainingco.com/o5pf/?mfsl7bH=M65aXi2UcAQn8718tEf3TkBOasjwjM7dajGYfqZwQUoD/VZKFFr8D11HJhntAT8u92hoG1AP&lZB=UFQL6bspOrB8clA
  http://www.megpt.chat/o5pf/?mfsl7bH=E+bgnEcwb41II7cnnt+h2mzNG/BCb3QKnbvPFJefYzLGoeJCAYodXDovcmtnYxWVA45lpWIQ&lZB=UFQL6bspOrB8clA
Hosts (6):
  www.dunamistrainingco.com(198.49.23.144)
  www.verglastrading.com(172.67.208.208)
  www.megpt.chat(91.195.240.19)
  91.195.240.19 - malicious
  104.21.23.42
  198.185.159.145 - malicious
Signatures (1):
  ET MALWARE FormBook CnC Checkin (GET)
9.8 | M | 46 | ZeroCERT

9333 | 2023-10-25 11:16
Sample: audiodgse.exe
MD5: 3059a8f7e4b873219bc3dc4d510e936a
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself Remote Code Execution
2.4 | M | 53 | ZeroCERT

9334 | 2023-10-25 11:16
Sample: kung.exe
MD5: f6e91ab67abb675d4893f49397629d95
Tags: Malicious Packer PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software crashed
URLs (1):
  http://sempersim.su/a16/fre.php
Hosts (2):
  sempersim.su(104.237.252.65) - malicious
  104.237.252.65 - malicious
Signatures (6):
  ET DNS Query for .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M1
8.0 | M | 66 | ZeroCERT

9335 | 2023-10-25 11:00
Sample: HTMLprofile.doc
MD5: 5342b58b3951c40f8e5eb08f5d9824be
Tags: MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash Tofsee Windows Exploit Google DNS crashed
URLs (7):
  http://141.98.6.91/72/Audiodgse.exe
  http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnh37obenwknkqmvhcw72i7qsia_417/lmelglejhemejginpboagddgdfbepgmp_417_all_ZZ_kqkdtq7va5rvur2kfj67x5s2gi.crx3
  http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3
  http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.49.1_all_ixzyrcu7pvmgu5pjv6enfqq6wa.crx3
  http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
  https://update.googleapis.com/service/update2
  https://update.googleapis.com/service/update2?cup2key=11:ucciJXz2DRnbg3OLFhEKLNT1Ho4HCaExqeDsDp12_7M&cup2hreq=8650510305d18db3aa4a81c1579e660f081ba8e1c5014aaf087a8fc498361059
Hosts (30):
  edgedl.me.gvt1.com(34.104.35.123)
  dns.google(8.8.4.4)
  www.google.com(142.250.76.132)
  clients2.googleusercontent.com(172.217.161.225)
  www.gstatic.com(142.250.206.227)
  accounts.google.com(142.250.206.205)
  _googlecast._tcp.local()
  apis.google.com(142.251.222.14)
  clientservices.googleapis.com(142.250.206.195)
  r1---sn-3u-bh2ss.gvt1.com(211.114.64.12)
  142.250.204.35
  142.250.206.238 - malicious
  172.217.25.1 - malware
  141.98.6.91 - malicious
  211.114.64.12
  142.250.206.234 - malware
  142.251.220.46
  142.250.206.195
  172.217.25.3
  34.104.35.123
  142.250.76.131
  142.250.199.68
  142.251.220.109
  172.217.24.68
  172.217.161.225 - malicious
  142.251.220.110
  172.217.24.67
  142.250.207.106 - malware
  142.250.199.67
  172.217.25.174 - malicious
Signatures (9):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET INFO Packed Executable Download
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
4.4 | | 28 | ZeroCERT

9336 | 2023-10-25 10:55
Sample: HTMLCacheCentos.doc
MD5: b1e8cf61c7cef7569de508e08785dadf
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit crashed
2.6 | | 28 | ZeroCERT

9337 | 2023-10-25 10:53
Sample: ImxyQs.exe
MD5: 6b99673a78e02bdd536e208b986c5b4d
Tags: .NET framework(MSIL) PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger unpack itself ComputerName
URLs (1):
  https://img.proxies.world/u/70uSlf.dat
2.2 | M | 48 | ZeroCERT

9338 | 2023-10-25 10:48
Sample: HTMLCacheCentos.dOC
MD5: b39f481790c393d21234af0ced69da7a
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed
Hosts (2):
  toss.is(45.33.42.226) - malicious
  45.33.42.226 - malicious
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Wrong direction first Data
2.2 | M | 29 | ZeroCERT

9339 | 2023-10-25 10:37
Sample: HTMLCachesClear.dOC
MD5: ae797eafb49080484af9350259e7920a
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed
Hosts (2):
  toss.is(45.33.42.226)
  45.33.42.226
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Wrong direction first Data
2.2 | M | 29 | ZeroCERT

9340 | 2023-10-25 09:54
Sample: setup.exe
MD5: fe90648e5db0ee19d7dcae2a5f4acc25
Tags: Malicious Library PE File PE32 VirusTotal Malware WMI Creates executable files RWX flags setting Checks Bios anti-virtualization ComputerName
4.2 | M | 41 | ZeroCERT

9341 | 2023-10-25 09:54
Sample: HTMLCacheCentos.dOC
MD5: b39f481790c393d21234af0ced69da7a
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed
Hosts (2):
  toss.is(45.33.42.226)
  45.33.42.226
Signatures (3):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Wrong direction first Data
2.6 | M | 29 | ZeroCERT

9342 | 2023-10-25 09:52
Sample: 201.exe
MD5: 6c13146feeabc071309b41335514bf99
Tags: Themida Packer Malicious Library UPX Http API ScreenShot Internet API AntiDebug AntiVM PE File PE32 .NET EXE DLL OS Processor Check Browser Info Stealer Malware download VirusTotal Malware Cryptocurrency wallets Cryptocurrency Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare AppData folder sandbox evasion VMware anti-virtualization installed browsers check Ransomware Lumma Stealer Windows Browser ComputerName Firmware Cryptographic key crashed
URLs (1):
Hosts (2):
  butchane.fun(104.21.1.169)
  104.21.1.169
Signatures (2):
  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
16.0 | M | 23 | ZeroCERT

9343 | 2023-10-25 09:52
Sample: HTMLprofile.dOC
MD5: 2885bbb18db2fc076e129a10729faadb
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit crashed
URLs (2):
  http://toss.is/6*WW4F
  http://141.98.6.91/2010/1/MAH.vbs
Hosts (2):
  toss.is(45.33.42.226)
  45.33.42.226
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Wrong direction first Data
3.2 | M | 30 | ZeroCERT

9344 | 2023-10-25 09:50
Sample: HTMLCachesClear.dOC
MD5: ae797eafb49080484af9350259e7920a
Tags: MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed
Hosts (2):
  toss.is(45.33.42.226)
  45.33.42.226
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA Applayer Wrong direction first Data
2.6 | M | 29 | ZeroCERT

9345 | 2023-10-25 09:49
Sample: timeSync.exe
MD5: b493dabf9da2cf24146955b3c9aeb7be
Tags: Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution
2.0 | M | 31 | ZeroCERT